Had any trouble reaching familiar sites recently? You might have taken a stray bullet in the ongoing epic battle between Dutch web host CyberBunker and non-profit international spam tracker SpamHaus.

CyberBunker operates out of a decommissioned NATO bunker; hence the name. The company claims to be "the only true independent hosting provider in the world" and allows customers to anonymously host "any content they like, except child porn and anything related to terrorism."

That promise apparently proved attractive to one or more groups of spammers, as SpamHaus traced significant spam traffic back to CyberBunker. They blacklisted CyberBunker and thereby cut off those spammers from close to two million inboxes. In retaliation, CyberBunker launched what's been called the biggest cyber attack ever.

Amplified Attack

CyberBunker attempted to shut down SpamHaus with a serious DDoS (Distributed Denial of Service) attack. SpamHaus contacted Web protection company CloudFlare for help. CloudFlare determined that the attackers were using a technique called DNS reflection to generate overwhelming amounts of Web traffic on SpamHaus's servers.

The Domain Name System is an essential component of the Internet. DNS servers translate human-readable domain names like www.pcmag.com into IP addresses like 208.47.254.73. DNS servers are everywhere, and their level of security varies. In DNS reflection, the attacker sends many insecure DNS resolvers a small DNS request that generates a large response, spoofing the return address to that of the victim so that the large responses are delivered to the victim rather than to the attacker.

In a blog post last week, CloudFlare reported that over 30,000 DNS resolvers were involved. Each 36-byte request generated around 3,000 bytes of response, amplifying the attack by 100 times. At its peak, the attack battered SpamHaus with up to 90 Gbps of irrelevant network requests, overloading SpamHaus's servers.

Collateral Damage

CloudFlare managed to mitigate the attack using a technology they call Anycast. Briefly, all of CloudFlare's worldwide datacenters announce the same IP address, and a load-balancing algorithm directs all incoming requests to the nearest datacenter. This effectively dilutes the attack and allows CloudFlare to block any attack packets from reaching the victim.

That wasn't the end, though. According to the New York Times, the attackers then turned their sights directly on CloudFlare, in retaliation. The Times quoted CloudFlare CEO Matthew Prince as saying, "These things are essentially like nuclear bombs. It’s so easy to cause so much damage." The article also noted that millions of users have found themselves temporarily unable to reach certain websites due to the ongoing attack, specifically mentioning Netflix as an example.

CloudFlare elaborated on this extended damage in a new post today. First, the attackers went after SpamHaus directly. Next, they focused their attack on CloudFlare. When that didn't work, they moved the attack upstream to "providers from whom CloudFlare buys bandwidth."

CloudFlare's post stated, "The challenge with attacks at this scale is they risk overwhelming the systems that link together the Internet itself." And indeed, this escalated attack on top-level bandwidth providers caused significant connectivity problems for some users, mostly in Europe.

Not Hiding

According to the Times, a spokesman for CyberBunker took credit for the attack, saying "Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet. They worked themselves into that position by pretending to fight spam."

The CyberBunker website boasts of other run-ins with regulators and law enforcement. Its history page states "the Dutch authorities and the police have made several attempts to enter the bunker by force. None of these attempts were successful."

Protection Is Possible

Fortunately, there's a way to end this type of attack. The Internet Engineering Task Force has published a Best Current Practice analysis (BCP-38) describing just how providers can prevent IP source address spoofing and thereby defeat attacks like DNS reflection.
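How the BCP-38 source address validation described above defeats the reflection technique from earlier in the article, as an added example that is not CloudFlare's, Spamhaus's or the IETF's code: a provider's edge forwards a customer packet only if its source address belongs to that customer's assigned prefixes, so a DNS query stamped with the victim's address never leaves the network, and a small helper applies the 36-byte request and roughly 3,000-byte response figures from CloudFlare's report. All prefixes, addresses and packets are constructed samples.

```python
"""BCP-38 ingress filtering plus DNS amplification arithmetic.

Added example for this article, not CloudFlare's, Spamhaus's or the IETF's
code. Prefixes, addresses and packets are constructed samples from the
RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical prefixes assigned to the customer behind one provider port.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

@dataclass(frozen=True)
class Packet:
    src: str   # source address in the IP header (attacker-controlled)
    dst: str   # destination address
    size: int  # bytes on the wire

def bcp38_permits(pkt: Packet, prefixes=CUSTOMER_PREFIXES) -> bool:
    """Forward only packets whose source lies in a prefix assigned to this
    port; a query carrying the victim's address as source fails this check."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes)

def filter_egress(pkts, prefixes=CUSTOMER_PREFIXES):
    """Split a batch of customer packets into (forwarded, dropped)."""
    forwarded = [p for p in pkts if bcp38_permits(p, prefixes)]
    dropped = [p for p in pkts if not bcp38_permits(p, prefixes)]
    return forwarded, dropped

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_bytes / request_bytes

# Constructed traffic: two genuine customer queries, one query whose source
# is forged to 192.0.2.7 (hypothetical victim) and one from an address just
# outside the customer's /25. All target a hypothetical open resolver.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.0.2.53", 36),    # genuine, forwarded
    Packet("198.51.100.20", "192.0.2.53", 36),   # genuine, forwarded
    Packet("192.0.2.7", "192.0.2.53", 36),       # spoofed source, dropped
    Packet("198.51.100.200", "192.0.2.53", 36),  # outside the /25, dropped
]
```

With CloudFlare's reported sizes the helper gives a factor of about 83, which the article rounds to 100 times; the filter only helps when it runs at the network the spoofed packets originate from, which is why the practice has to be adopted broadly.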

CloudFlare has engaged in a bit of "name and shame" tactics, publishing the names of the providers with the biggest numbers of unsecured DNS servers. According to a CloudFlare blog post, after four months the number of open DNS resolvers went down by 30 percent. The Open Resolver Project lists 25 million insecure resolvers. Unfortunately, as CloudFlare's post notes, "the bad guys have the list of open resolvers and they are getting increasingly brazen in the attacks they are willing to launch."

The DNS system is absolutely essential to the functioning of the Internet; it needs the best protection we can give it. More providers need to close the security holes that allow this kind of attack. One of CloudFlare's stated goals is "to make DDoS something you only read about in the history books." We can hope!

[Not all experts agree about the magnitude of this attack's effects. Check our latest post for other views of the CyberBunker attack and its collateral damage.]

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
